dri3: prevent out-of-bounds read in dri3_fd_from_pixmap

Inspired by f05f269f1d

Reported in https://gitlab.freedesktop.org/xorg/xserver/-/issues/1817:

xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13:
 warning[-Wanalyzer-out-of-bounds]: stack-based buffer over-read
xwayland-24.1.6/redhat-linux-build/../dri3/dri3_screen.c:143:13:
 danger: out-of-bounds read from byte 16 till byte 19
 but ‘fds’ ends at byte 16
141|           int i;
142|           for (i = 0; i < num_fds; i++)
143|->             close(fds[i]);
144|           return -1;
145|       }

Only possible if fds_from_pixmap returns a value > 4, but the analyzer
doesn't know the interface is defined not to do that.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2085>

Signed-off-by: stefan11111 <stefan11111@shitposting.expert>
stefan11111 2025-11-25 01:01:21 +02:00 committed by Enrico Weigelt
parent d64fc9b668
commit 7279a68cc7

@ -28,6 +28,7 @@
#include <randrstr.h>
#include <drm_fourcc.h>
#include <unistd.h>
#include <assert.h>
int
dri3_open(ClientPtr client, ScreenPtr screen, RRProviderPtr provider, int *fd)
@ -139,8 +140,8 @@ dri3_fd_from_pixmap(PixmapPtr pixmap, CARD16 *stride, CARD32 *size)
num_fds = info->fds_from_pixmap(screen, pixmap, fds, strides, offsets,
&modifier);
if (num_fds != 1 || offsets[0] != 0) {
int i;
for (i = 0; i < num_fds; i++)
assert(num_fds <= 4);
for (int i = 0; i < num_fds; i++)
close(fds[i]);
return -1;
}
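
Review bot: The assert(num_fds <= 4) added in the error path of dri3_fd_from_pixmap only enforces the bound when assertions are compiled in; with NDEBUG defined it expands to nothing and the loop still runs close(fds[i]) with an unchecked num_fds, so the over-read from the analyzer report is silenced rather than prevented at run time. If the title's "prevent" is meant as a guarantee, bound the loop itself, for example by stopping at the smaller of num_fds and the number of elements in fds. The literal 4 also duplicates the size of fds (the analyzer output says it ends at byte 16); deriving the limit from the array would keep the two from drifting apart. Where assertions are enabled, a fds_from_pixmap implementation that returns more than 4 now aborts the server here instead of reaching return -1, which deserves a line in the commit message if that is the intended behaviour.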